Information Practice Principles:
Recognizing the Challenges and
Opportunities Ahead
Andrew Proia,* Drew Simshaw** & Kris
Hauser***
ABSTRACT
Rapid technological innovation has made commercially accessible consumer robotics a reality. At the same time, individuals and organizations are turning to “the cloud” for more convenient and cost effective data storage and management. It seemed only inevitable that these two technologies would merge to create cloud robotics, “a new approach to robotics that takes advantage of the Internet as a resource for massively parallel computation and sharing of vast data resources.” By making robots lighter, cheaper, and more efficient, cloud robotics could be the catalyst for a mainstream consumer robotics marketplace. However, this new industry would join a host of modern consumer technologies that seem to have rapidly outpaced the legal and regulatory regimes
© 2015 Andrew Proia, Drew Simshaw & Kris Hauser
* 2013–2014 Information Security Law & Policy Fellow, Indiana University Center for Applied Cybersecurity Research, J.D., Indiana University Maurer School of Law, 2013, B.S. in Criminal Justice, University of Central Florida, 2010. A working draft of this Article was presented at the We Robot 2014 Conference and benefited from the thoughtful comments by the Conference’s attendees. The authors would like to also thank Professor Fred H. Cate for his thoughtful comments, as well as Dr. David Crandall and Dr. Selma Šabanović for their invaluable insight and contributions to numerous roundtable discussions that formed the basis of this Article.
** Policy Analyst, Indiana University Center for Law, Ethics, and Applied Research in Health Information, J.D., Indiana University Maurer School of Law, 2012, B.A. in Political Science, University of Washington, 2007. *** Associate Professor, Duke University Pratt School of Engineering, Ph.D. in Computer Science, Stanford University, 2008, B.A. in Computer Science & B.A. in Mathematics, University of California at Berkeley, 2003.
implemented to protect consumers. Recently, consumer advocates and the tech industry have focused their attention on information privacy and security, and how to establish sufficient safeguards for the collection, retention, and dissemination of personal information while still allowing technologies to flourish. Underlying a majority of these proposals are a set of principles that address how personal information should be collected, used, retained, managed, and deleted, known as the Fair Information Practice Principles (FIPPs). This Article examines recent frameworks that articulate how to apply the FIPPs in a consumer setting, and dissects how these frameworks may affect the emergence of cloud-enabled domestic robots. By considering practical observations of how cloud robotics may emerge in a consumer marketplace regulated by the FIPPs, this research will help both the information privacy and robotics fields in beginning to address privacy and security challenges from a law and policy perspective, while also fostering collaboration between roboticists and privacy professionals alike.
I. Cloud Robotics and Tomorrow’s Domestic Robots ... 152
II. The Backbone of Consumer Privacy Regulations and Best Practices: The Fair Information Practice Principles ... 158
A. A Look at the Fair Information Practice Principles .. 158
B. The Consumer Privacy Bill of Rights ... 163
1. Scope ... 164
2. Individual Control... 165
3. Transparency... 166
4. Respect for Context... 167
5. Security... 168
6. Access and Accuracy ... 169
7. Focused Collection ... 169
8. Accountability... 170
C. The 2012 Federal Trade Commission Privacy Framework ... 171
1. Scope ... 172
2. Privacy by Design... 173
3. Simplified Consumer Choice ... 175
4. Transparency... 178
III. When the Fair Information Practice Principles Meet Cloud Robotics: Privacy in a Home or Domestic Environment... 179
A. The Data at Issue: Linkable Data and the “Sensitivity” of Data Collected by Cloud-Enabled Domestic Robots... 181
1. Information Linked to a Consumer or Cloud Robot ... 181
2. Sensitivity of Information Linked to a Consumer or Cloud Robot... 183
B. The Context of a Cloud-Enabled Robot Transaction: Data Collection, Use, and Retention Limitations ... 187
C. Adequate Disclosures and Meaningful Choices Between a Cloud-Enabled Robot and the User... 194
1. When Meaningful Choices Are Provided... 195
2. How Meaningful Choices Are Provided ... 198
D. Transparency & Privacy Notices ... 201
E. Security... 204
F. Access & Accuracy... 205
G. Accountability ... 206
IV. Approaching the Privacy Challenges Inherent in Consumer Cloud Robotics... 207
INTRODUCTION
At the 2011 Google I/O Conference, Google’s Ryan Hickman and Damon Kohler, and Willow Garage’s Ken Conley and Brian Gerkey, took the stage to give a rather intriguing presentation: Cloud Robotics, ROS for Java and Android.1
After giving a high-five to “PR2,” a two-armed mobile manipulator robot built by Willow Garage,2 Hickman
demonstrated how robots like PR2, while amazing, are typically limited to on-board data storage and processing, which have limited capabilities due to weight and power constraints.3 However, if robots were able to “tap into the
cloud,” as Hickman explained, the robot’s data storage and processing could be “moved” into a remote server farm, which would take over the role of performing compute-intensive operations, such as those involved in 3D perception and navigation planning.4What Hickman demonstrated during the
group’s presentation is a concept known as “cloud robotics,” a term accredited to Google Research Scientist Dr. James Kuffner that describes “a new approach to robotics that takes advantage of the Internet as a resource for massively parallel computation and real-time sharing of vast data resources.”5
While the term “cloud robotics” is relatively new, the idea of using remote computational resources to drive robots has existed for over a decade.6 In recent years, however, cloud
computing infrastructure has greatly matured to the point where cloud storage providers,7 computation providers,8 and
1. Google Developers, Google I/O 2011: Cloud Robotics, YOUTUBE(May 11, 2011), http://www.youtube.com/watch?v=FxXBUp-4800.
2. Id.; see also PR2: Overview, WILLOW GARAGE, http://www.willowgarage.com/pages/pr2/overview (last visited Nov. 8, 2014);
Software: Overview, WILLOW GARAGE, http://www.willowgarage.com/pages /software/overview (last visited Nov. 8, 2014).
3. Google Developers, supra note 1. 4. Id.
5. KENGOLDBERG& BENKEHOE, CLOUDROBOTICS ANDAUTOMATION: A SURVEY OF RELATED WORK 1 (2013), available at http://www.eecs.berkeley
.edu/Pubs/TechRpts/2013/EECS-2013-5.pdf.
6. See generally Masayuki Inaba et al., A Platform for Robotics Research
Based on the Remote-Brained Robot Approach, 19 INT’LJ. ROBOTICSRES. 933, 933–39 (2000) (proposing a framework for “the remote-brained robot approach”).
7. See, e.g., About Dropbox, DROPBOX, https://www.dropbox.com/about (last visited Nov. 8, 2014); Google Drive, GOOGLE, https://www.google
computational paradigms9 are now commonplace. Similar
infrastructure advances for cloud-enabled robots are beginning to take shape. With experts estimating that personal and domestic robot sales will reach over 15 million units, at a value of over $5 billion between 2013 and 2016,10an innovation like
cloud robotics could be a catalyst for the emergence of a mainstream consumer robot marketplace.
Cloud robotics as an industry, however, is very much in its infancy and still faces a number of challenges before it may be equated with mainstream tech devices like smartphones, tablets, and computers. As the creators of RoboEarth, a popular cloud robot architecture, have suggested, many legal,11moral,12
safety,13 and technical14 questions must be resolved before the
.com/drive/ (last visited Nov. 8, 2014); iCloud, APPLE, https://www.apple.com/icloud/ (last visited Nov. 8, 2014).
8. See, e.g., Amazon EC2, AMAZON, https://aws.amazon.com/ec2/ (last visited Nov. 8, 2014) (detailing the Amazon Elastic Compute Cloud web service); Microsoft Azure, MICROSOFT, http://azure.microsoft.com/en-us/ (last visited Jan. 3, 2014).
9. See, e.g., Jeffrey Dean & Sanjay Ghemawat, MapReduce: Simplified
Data Processing on Large Clusters 137 (USENIX 6th Symposium on Operating
Sys. Design & Implementation, 2004) (detailing Google’s MapReduce programming model); What Is Apache Hadoop?, HADOOP, http://hadoop.apache.org/ (last visited Nov. 8, 2014) (detailing the open source Apache Hadoop framework).
10. See INT’L FED’N OF ROBOTICS, EXECUTIVE SUMMARY, 2013 WORLD
ROBOTICS: SERVICE ROBOTS 18–19 (2013), available at
http://www.worldrobotics.org/uploads/tx_zeifr/Executive_Summary_WR_2013 _01.pdf.
11. See Markus Waibel et al., A World Wide Web for Robots—RoboEarth, ROBOTICS & AUTOMATIONMAG., June 2011, at 69, 79 (citing M. Ryan Calo,
Open Robotics, 70 MD. L. REV. 571 (2011)).
12. See Waibel et al., supra note 11 (citing M. Ryan Calo, Robots and
Privacy, in ROBOT ETHICS: THE ETHICAL AND SOCIAL IMPLICATIONS OF
ROBOTICS 187–98 (Patrick Lin et al. eds., 2012) [hereinafter Robots and
Privacy]).
13. See Waibel et al., supra note 11 (citing Koji Ikuta et al., Safety
Evaluation Method of Design and Control for Human-Care Robots, 22 INT’LJ. ROBOTICSRES. 281 (2003) (proposing a general method to evaluate safety of human care robots)).
14. See D. Lorencik & P. Sincak, Cloud Robotics: Current Trends and
Possible Use As a Service 85 (IEEE 11th Int’l Symposium on Applied Machine
Intelligence & Informatics, 2013) (“The main negative of using the cloud-based architecture is the possibility of losing the connection, and in this case, if robot uses the cloud services even for basic functionality, it will fail to do anything.”).
practice of operating in unstructured environments and sharing data among robots becomes integrated into our everyday lives. One open question in particular is what effect cloud-enabled consumer robotics, particularly domestic service robots, will have on consumer privacy.15
Privacy advocates, policymakers, and government regulators have taken a keen interest in protecting the privacy of consumer data now that the Internet has become “integral to economic and social life in the United States,” and as “[a]n abundance of data, inexpensive processing power, and increasingly sophisticated analytical techniques drive innovation in our increasingly networked society.”16 A number
of recent attempts to provide meaningful and standardized consumer privacy protections have produced “privacy frameworks” intended to balance technological innovation with reasonable data collection, use, and retention limits.17
Underlying the majority of these frameworks are a set of principles, first articulated in the 1970s, that address how personal information should be collected, used, retained, managed, and deleted, known as the Fair Information Practice Principles (FIPPs).18 The FIPPs have been adopted in various
forms, both nationally and internationally, as the foundational framework for both public and private sector entities to protect the privacy and integrity of personally identifiable information.19 However, with cloud robotics sure to create a
world in which independent machines “pool,” “share,” and “reuse” data, the integration of interconnected robots could 15. This Article borrows the definition of a “domestic service robot” as a robot “designed and priced for use within a home or other domestic environment.” Tamara Denning et al., A Spotlight on Security and Privacy
Risks with Future Household Robots: Attacks and Lessons, 105–06 (UBICOMP
11th Int’l Conf. on Ubiquitous Computing, 2009).
16. THE WHITE HOUSE, CONSUMER DATA PRIVACY IN A NETWORKED
WORLD: A FRAMEWORK FOR PROTECTING PRIVACY AND PROMOTING
INNOVATION IN THEGLOBAL DIGITALECONOMY5 (2012) [hereinafter WHITE
HOUSEPRIVACYREPORT].
17. E.g., FED. TRADE COMM’N, PROTECTING CONSUMER PRIVACY IN AN
ERA OF RAPID CHANGE: RECOMMENDATIONS FOR BUSINESSES AND
POLICYMAKERSv–vi (2012) [hereinafter 2012 FTC PRIVACYREPORT].
18. E.g., Robert Gellman, Fair Information Practices: A Basic History, BOB GELLMAN 1, http://bobgellman.com/rg-docs/rg-FIPShistory.pdf (last updated Aug. 3, 2014).
pose numerous challenges to FIPPs-based framework compliance.20
The privacy implications of robotics have been addressed from both legal and technical perspectives.21However, there is
a lack of understanding about how current consumer privacy standards and proposed frameworks could affect the future of robotics as it integrates with the cloud and moves into our homes.22 In particular, what practical challenges will cloud
robotics face if it becomes a mainstream consumer industry and attempts to comply with the FIPPs? Should the cloud robotics industry begin to understand these challenges now, and if so, why? How can roboticists open a dialog with privacy advocates, policymakers, and regulators on how best to maintain both innovation and consumer privacy expectations as robots begin to connect to the Internet? These questions form the basis of this Article.
Section I introduces the concept of cloud robotics. This Section examines how, historically, robots have been limited by 20. See, e.g., Waibel et al., supra note 11, at 70–71 (discussing pooled, shared, and reused data). See generally GOLDBERG & KEHOE, supra note 5 (“No robot is an island.”).
21. See, e.g., Robots and Privacy, supra note 12, at 187–98 (outlining “the effects of robots on privacy in[] three categories—direct surveillance, increased access, and social meaning . . . .”); Denning et al., supra note 15, at 105 (analyzing three household robots for security and privacy vulnerabilities, “identify[ing] key lessons and challenges for securing future household robots,” and proposing “a set of design questions aimed at facilitating the future development of household robots that are secure and preserve their users’ privacy”); Ryan Calo, They’re Watching. How Can That Be A Good Thing?, STAN. MAG., Jan.–Feb. 2014, at 2–3 (suggesting that robots will “focus us in on the effects of living among sophisticated surveillance technologies” and open a “policy window” in which to update privacy law and policy).
22. See Denning et al., supra note 15, at 105 (“[T]here is currently a marked void in the consideration of the security and privacy risks associated with household robotics.”). But see Aneta Podsiadła, What Robotics Can Learn
from the Contemporary Problems of Information Technology Sector: Privacy by Design as a Product Safety Standard—Compliance and Enforcement, in WE
ROBOT: GETTING DOWN TO BUSINESS 1, 1–3 (Stanford Univ. ed., 2013),
available at http://conferences.law.stanford.edu/werobot/wp-content /uploads/sites/29/2013/04/What-robotics-can-learn-from-the-contemporary-p roblems-of-Information-Technology-sector.-Privacy-by-Design-as-a-product-s afety-standard-compliance-and-enforcement.pdf (advocating for the adoption of “Privacy by Design” and “Security by Design” concepts to help minimize the privacy and security risks of domestic robots and proposing possible liability for robot manufacturers who fail to implement such concepts).
on-board, local processing and how cloud robotics, conversely, proposes a method to allow robots to “share knowledge and learn from each other’s experiences” in order to “perform complex and useful tasks in the unstructured world in which humans actually live.”23 Section II provides a brief history of
the FIPPs, with particular attention paid to their application in frameworks developed by the Federal Trade Commission (FTC) and the Obama Administration. Section III examines the unique FIPPs challenges facing cloud robotics within a domestic environment, such as a user’s home. Finally, Section IV highlights the importance of considering these challenges today, and proposes possible next steps for both the information privacy and robotics communities.
I. CLOUD ROBOTICS AND TOMORROW’S DOMESTIC ROBOTS
The concept of “robots” is hard to clearly define, but robots are commonly considered to be multi-function devices with the capability to sense the current environment and act on that environment using movement.24Currently, robots can be found
in a wide array of domains, from manufacturing, service, and medical robots, to robots used for national defense and space exploration.25 Service robots, particularly those operating in
domestic settings, have been deployed to assist people in their 23. P.H., Artificial Intelligence Networks: We, Robots, ECONOMIST (Jan. 21, 2014, 1:55 PM), http://www.economist.com/blogs/babbage/2014/01 /artificial-intelligence-networks.
24. See, e.g., Denning et al., supra note 15, at 105 (defining “robot” for their study as “a cyber-physical system with sensors, actuators, and mobility”); Bill Gates, A Robot in Every Home, SCI. AM., Jan. 2007, at 58 (“Although a few of the domestic robots of tomorrow may resemble the anthropomorphic machines of science fiction, a greater number are likely to be mobile peripheral devices that perform specific household tasks.”); Neil M. Richards & William D. Smart, How Should the Law Think About Robots? 5 (May 11, 2013) (unpublished manuscript), available at
http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2263363 (proposing the definition of “robot” to be “a constructed system that displays both physical and mental agency, but is not alive in the biological sense” and “is something manufactured that moves about the world, seems to make rational decisions about what to do, and is a machine”).
25. CONG. ROBOTICS CAUCUS ADVISORY COMM., A ROADMAP FOR U.S. ROBOTICS: FROM INTERNET TO ROBOTICS 3–4 (2013), available at http://www.cra.org/ccc/files/docs/2013-Robotics-Roadmap (outlining “Area Specific Conclusions” on a number of domains utilizing robotics).
daily lives, and compensate for mental and physical limitations.26 While experts predict that robots incorporating
“full-scale, general autonomous functionality” are still ten to fifteen years away,27 the impact that cloud capabilities can
have on robot intelligence could help bring service robots to a state of general autonomy sooner.
“Intelligence” is the connection between sensing and acting, which can be implemented in many ways.28 Simple
forms of intelligence include a set of fixed computational rules, such as if-then statements, or mathematical formulas, such as linear feedback controllers.29 However, the intelligence needed
to perform tasks expected of humans in unstructured environments, such as the home, must be much more complex.30Intelligent robots in domestic environments require
incorporating rich, diverse sources of knowledge including images, 3D maps, object identities and locations, movement patterns of human occupants, physics simulators, and previous experience interacting with the environment.31 As a result,
modern general-purpose domestic robots are implemented as very large software systems, composed of multiple modules running sophisticated algorithms, each of which require significant computational power.32
Cloud-enabled robots, on the other hand, can outsource these systems and components.33In cloud robotics, the software
for implementing intelligent or autonomous behavior is partially or fully shifted to “the cloud”—remote computers
26. Id. at 63. 27. Id. at 64.
28. See DAVID KORTENKAMP ET AL., ARTIFICIAL INTELLIGENCE AND
MOBILEROBOTS: CASESTUDIES OFSUCCESSFULROBOTSYSTEMS4, 8 (David Kortenkamp et al. eds., 1998).
29. See Rodney A. Brooks, Intelligence Without Representation, 47 ARTIFICIALINTELLIGENCE139, 139–59 (1991).
30. See CONG. ROBOTICSCAUCUSADVISORYCOMM., supra note 25, at 65– 67 (discussing the need for expanded research and development in the service robotics industry).
31. See id. at 67–72.
32. See, e.g., Why ROS?, ROS.ORG, http://www.ros.org/core-components/ (last visited Nov. 8, 2014) (identifying some of the core parts of the robot operating system, ROS).
communicating to the robot via the Internet.34 This moves the
locus of “intelligence” from onboard the robot to a remote service.35There are several advantages to such an architecture.
First, robots could be made cheaper because costs are reduced by eliminating the need for powerful onboard computers.36
Moreover, robots may be able to use cheaper sensor and actuator hardware because more powerful computing resources can sometimes compensate for the inaccuracies of the hardware.37Fewer onboard computers also means lower energy
usage and prolonged battery life, alleviating one of the great practical limitations currently faced by consumer robots.38
Second, the cloud may provide improved functionality. Computationally complex tasks, such as object recognition and planning, can be solved by “brute force” in the cloud with many parallel computers.39 Moreover, the cloud has easier access to
common information from the web and from other robots, which could improve the performance of tasks like object recognition due to the use of extensive existing databases on the web—such as image hosting web services like Google Image Search and Flickr—or the prior experience of other robots.40By
vastly improving access to data, cloud-enabled robots will be better equipped to recognize and interact with objects within their environments.41 Robots may also need to “call for help”
34. See id. 35. Id.
36. Erico Guizzo, Robots with Their Heads in the Clouds, IEEE SPECTRUM
(Feb. 28, 2011, 9:10 PM), http://spectrum.ieee.org/robotics/humanoids/robots -with-their-heads-in-the-clouds.
37. But see id. (“In particular, controlling a robot’s motion—which relies heavily on sensors and feedback—won’t benefit much from the cloud.”).
38. See Daniel J. Challou et al., Parallel Search Algorithms for Robot
Motion Planning, 2 PROC. IEEE INT’LCONF.ONROBOTICS& AUTOMATION46, 46–51 (1993).
39. See Patrizio Dazzi, A Tool for Programming Embarrassingly Task
Parallel Applications on CoW and NoW, ARXIV.ORG 1–2 (June 24, 2013), http://arxiv.org/pdf/1306.5782v1.pdf (providing an overview of parallel computing and listing examples of how the cloud can be effectively and efficiently used in this context).
40. E.g., Guizzo, supra note 36. 41. Id.
when in a jam, and human tele-operators may be able to help, similar to Amazon’s Mechanical Turk service.42
Finally, it is easier for a service provider to debug and update software on the cloud than in the consumer’s home.43
Software updates, for example, can occur seamlessly because a cloud service can update a cloud-enabled robot without having to physically access it.44 Likewise, human technicians can
perform remote debugging without physical access to the robot.45
Current cloud-enabled robots tend to use the cloud only for certain functions, such as object recognition, or to store large 3D maps.46 But it is not hard to imagine that in the near
future, a robot’s intelligence could be fully shifted to the cloud. The robot will then locally implement a “thin client” that transmits sensor data to the service and receives instructions from the service.47 The thin client may also perform some
limited processing, particularly for calculations that must be done at a high rate, such as maintaining a motor position, or responding quickly and safely to unexpected collisions.48
42. Amazon Mechanical Turk (Beta), AMAZON, http://aws.amazon.com /mturk/ (last visited Nov. 9, 2014).
43. What Is Cloud Robotics?, ROBOEARTH, http://roboearth.org/cloud _robotics/ (last visited Nov. 4, 2014) (“In addition, it removes overheads for maintenance and updates, and reduces dependence on custom middleware.”).
44. Id. 45. Id.
46. See, e.g., Markus Waibel & Gajan Mohanarajah, Mapping in the
Cloud, ROBOHUB (Dec. 23, 2013), www.robohub.org/mapping-in-the-cloud/ (“[W]e have set up an inexpensive, light weight robot so that it can perform full 3D mapping in real-time by offloading heavy computation to the RoboEarth Cloud Engine.”).
47. A “thin client” system is one in which a computer or program relies on other computers or programs to accomplish a particular computation. See, e.g., Morgan Quigley et al., ROS: An Open-Source Robot Operating System, in ICRA WORKSHOP ON OPEN SOURCE SOFTWARE (2009), available at
http://www.willowgarage.com/sites/default/files/icraoss09-ROS.pdf (proposing a “‘thin’ ideology” for a cloud-based ROS system that “encourage[s] all driver and algorithm development to occur in standalone libraries that have no dependencies on ROS”).
48. See Agam Shah, Powerful Thin Clients May Be Alternatives to PCs, PCWORLD (May 23, 2013, 11:45 AM), http://www.pcworld.com/article /2039659/powerful-thin-clients-may-be-alternative-to-pcs.html (describing new thin clients introduced by Dell and Hewlett-Packard as now having faster processing, in part due to computing on the cloud, versus local computation).
Current cloud-enabled robots perform some limited perceptual processing to avoid transmitting huge amounts of sensor data, such as multiple video streams, to the cloud, but in the future it is likely that these bandwidth limitations will become less restrictive.49 In the fully cloud-enabled case, the cloud service
will see everything the robot sees.
It is not difficult to see that, if developed properly, cloud robotics could have a profoundly positive impact on the lives of millions. For example, the Institute for Alternative Futures (IAF) envisions a world where such technology will be able to help recovery from storms like cyclones by the early 2020s with the “innovation of humanitarian cloud robots that use[] software developed by an online community to detect cholera and other water-borne diseases.”50 In addition, “[t]he
integration of social media and crowd-sourcing [will help] direct cloud robots in carrying potable water over long distances to those most in need.”51 However, the group also warns that
cyber security breaches of cloud-enabled robots, like “home-based Eldercare robots,” could cause “public cyber security anxiety” leading to “stringent robotic manufacturing and licensing regulations.”52 By the late 2020s, the IAF predicts
that cyber security concerns could “ultimately slow[] robotics from realizing its full potential for offering societal benefits.”53
As cloud robotics concepts continue to advance, entities are beginning to recognize the potential benefits such an architecture could have for home or domestic service robots. RoboEarth, for instance, is a well-known cloud robotics infrastructure based in Europe “that allows any robot with a network connection to generate, share, and reuse data.”54 The
goal of RoboEarth is “to use the Internet to create a giant open 49. See, e.g., Waibel & Mohanarajah, supra note 46 (viewing bandwidth as “a key driver for cloud-based robot services” and demonstrating a robot performing “full 3D mapping in real-time”).
50. Ben Sheppard & Trevor Thompson, Cyber Security for Robots:
Scenarios for 2030—Cyber-Enhanced Well-Being or Artificial Retardation?,
INST. ALTERNATIVE FUTURES 3 (Feb. 3, 2014), http://www.robotics businessreview.com/pdfs/Cyber_Security_for_Robots_Scenarios_IAF_5_Feb_20 14_%281%29.pdf.
51. Id. 52. Id. 53. Id.
source network database that can be accessed and continually updated by robots around the world,” thus allowing robots to enter “unstructured environments” and operate in the real world.55 RoboEarth hopes that its architecture will create a
“World Wide Web for robots” that will allow robots to operate efficiently in environments such as homes and hospitals.56 In
early 2014, the RoboEarth Consortium announced their fourth demonstration of RoboEarth, which featured “four robots collaboratively working together to help patients in a hospital.”57Google has set its sights on a robot marketplace as
well, and in 2013, Google “acquired seven technology companies in an effort to create a new generation of robots.”58
Google has also helped the advancement of cloud robotics with its products, such as Google Glass, which researchers have used for object recognition to implement robot-grasping tasks.59
From a privacy perspective, cloud robotics reveals a number of noteworthy characteristics. First, given the complexity of enabling robots to operate in an unstructured environment, the “datafication” of a robot’s environment will be expansive and necessary.60 This collection will include the
detailed mapping of buildings and rooms, as well as particular data on objects within that environment, including data that will help determine what the object is and where the object is located.61 Second, due to this unstructured environment,
55. See Motivation, ROBOEARTH, http://roboearth.org/motivation (last visited Nov. 4, 2014).
56. See Waibel et. al., supra note 11, at 70–71.
57. Gajamohan Mohanarajah, RoboEarth 4th Year Demonstration, ROBOEARTH(Jan. 13, 2014), http://roboearth.org/roboearth-public-demo-mini-s ymposium/.
58. John Markoff, Google Puts Money on Robots, Using the Man Behind
Android, N.Y. TIMES, Dec. 4, 2013, at A1.
59. Ben Kehoe et al., Cloud-Based Robot Grasping with the Google Object
Recognition Engine, 2013 IEEE INT’L CONF. ON ROBOTICS & AUTOMATION
4263, 4263 (2013), available at http://ieeexplore.ieee.org/stamp/stamp.jsp?tp= &arnumber=6631180.
60. “Datafication,” coined by Viktor Mayer-Schönberger and Kenneth Cukier, is the act of transforming something into “a quantified format so it can be tabulated and analyzed.” VIKTOR MAYER-SCHÖNBERGER & KENNETH
CUKIER, BIGDATA: A REVOLUTION THAT WILL TRANSFORM HOWWELIVE, WORK,ANDTHINK76–78 (2013).
61. See Waibel & Mohanarajah, supra note 46 (“Performing mapping in the cloud not only allows the creation of maps but also the ability to
unforeseen obstacles may make the data necessary to complete a specific task unknown at the time in which the data was collected.62 Finally, the goal of pooling, sharing, and reusing
data as a method of allowing robots to react and respond to unstructured environments suggests that data will not be used for a single purpose, but will be part of a complex architecture that may entail repurposing data for other tasks and for other robots.63 It is this widespread and almost instantaneous
collection of data, appropriation of data for unanticipated purposes, and sharing of data across multiple robots that raises privacy concerns and necessitates careful consideration of privacy best practices.
II. THE BACKBONE OF CONSUMER PRIVACY REGULATIONS AND BEST PRACTICES: THE FAIR
INFORMATION PRACTICE PRINCIPLES A. A LOOK AT THEFAIRINFORMATIONPRACTICEPRINCIPLES
The FIPPs have been described as the “Gold Standard” for protecting personal information.64 Robert Gellman, a noted
privacy and information policy consultant, has described the FIPPs as a “set of internationally recognized practices for addressing the privacy of information about individuals.”65The
understand them: By bringing computation close to the knowledge required to make sense of all of a robot’s sensor information, Cloud Robotics offers robots a very powerful way to understand the world around them.”).
62. Hani Hagras & Tarek Sobh, Intelligent Learning and Control of
Autonomous Robotic Agents Operating in Unstructured Environments, 145
INFO. SCI. 1, 2 (2002) (“[I]t is not possible to have exact and complete prior knowledge of [changing unstructured] environments: many details are usually unknown, the position of people and objects cannot be predicted a priori, passageways may be blocked, and so on.”).
63. P.H., supra note 23 (reporting comments made by RoboEarth scientists that “the ‘nuanced and complicated’ nature of life” outside controlled environments “cannot be defined by a limited set of specifications,” and “to perform complex and useful tasks in the unstructured world in which humans actually live, robots will need to share knowledge and learn from each other’s experiences”).
64. See Fair Information Practice Principles (FIPPs) Privacy Course, BERKELEYSECURITY, https://security.berkeley.edu/fipps (last visited Nov. 4, 2014) (“Although these principles are not laws, they form the backbone of privacy law and provide guidance in the collection, use and protection of personal information.”).
Obama Administration has defined the FIPPs as “the widely accepted framework of defining principles to be used in the evaluation and consideration of systems, processes, or programs that affect individual privacy.”66 At their inception,
the FIPPs “reflected a wide consensus about the need for broad standards to facilitate both individual privacy and the promise of information flows in an increasingly technology-dependent, global society.”67
The FIPPs’ origins are largely attributed to a 1973 report,
Records, Computers, and the Rights of Citizens, issued by the
Department of Health, Education, and Welfare’s Advisory Committee on Automated Personal Data Systems.68 While
investigating advancements in record-keeping systems, the Advisory Committee found that “a person’s privacy is poorly protected against arbitrary or abusive record-keeping practices.”69 In order to diminish such practices, the report
called for the enactment of a federal “Code of Fair Information Practice[s]” that would result in the core cannons of the FIPPs.70
The FIPPs were articulated in their most influential form in 1980 by the Organization for Economic Co-operation and 66. THEWHITEHOUSE, NATIONALSTRATEGY FORTRUSTEDIDENTITIES IN
CYBERSPACE: ENHANCING ONLINE CHOICE, EFFICIENCY, SECURITY, AND
PRIVACY45 (2011).
67. Fred H. Cate, The Failure of Fair Information Practice Principles, in CONSUMERPROTECTION IN THEAGE OF THEINFORMATIONECONOMY341, 341 (Jane K. Winn ed., 2006).
68. DEP’T OF HEALTH, EDUC. & WELFARE, RECORDS, COMPUTERS, AND THERIGHTS OFCITIZENS: REPORT OF THESECRETARY’SADVISORYCOMMITTEE ONAUTOMATEDPERSONALDATASYSTEMSix–xxxv (1973). Gellman notes that, at the same time as the Health, Education, and Welfare Report, a “Committee on Privacy” in Great Britain proposed many of the same principles. Gellman,
supra note 18, at 3–4. In addition, the 1977 report by the Privacy Protection
Study Commission, Protecting Privacy in an Information Society, “may have contributed to the development of [the FIPPs] . . . .” Id. at 4.
69. DEP’T OFHEALTH, EDUC. & WELFARE, supra note 68, at xx.
70. These principles included the following: “There must be no personal data record-keeping systems whose very existence is secret”; “[t]here must be a way for an individual to find out what information about him is in a record and how it is used”; “[t]here must be a way for an individual to prevent information about him that was obtained for one purpose from being used or made available for other purposes without his consent”; and, “[t]here must be a way for an individual to correct or amend a record of identifiable information about him.” Id.
Development (OECD).71 Finding at the time that there was a
“danger that disparities in national legislations could hamper the free flow of personal data across frontiers” that “could cause serious disruption in important sectors of the economy,”72 the
OECD sought “to develop Guidelines which would help to harmonise national privacy legislation and, while upholding such human rights, would at the same time prevent interruptions in international flows of data.”73 The result, the
OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, represented “a consensus on basic
principles which can be built into existing national legislation, or serve as a basis for legislation in those countries which do not yet have it.”74These principles, reaffirmed in 2013, include:
collection limitation, data quality, purpose specification, use limitation, security safeguards, openness, individual participation, and accountability.75
The FIPPs have been employed in many “different formulations coming from different countries and different sources over the decades,”76 with several structural
71. Both the White House Consumer Privacy Bill of Rights and the Federal Trade Commission Privacy Framework, discussed infra Part II, have cited the OECD guidelines as guiding the creation of these more contemporary frameworks. See Gellman, supra note 18, at 6–7.
72. ORG.FORECON. CO-OPERATION& DEV., OECD GUIDELINES ON THE
PROTECTION OF PRIVACY AND TRANSBORDER FLOWS OF PERSONAL DATA
(1980), available at http://www.oecd.org/internet/ieconomy/oecdguidelineson theprotectionofprivacyandtransborderflowsofpersonaldata.htm.
73. Id. 74. Id.
75. See ORG. FOR ECON. CO-OPERATION & DEV., THE OECD PRIVACY
FRAMEWORK 13–15 (2013). In addition to reaffirming the traditional principles, the 2013 revisions aimed “to assess the Guidelines in light of ‘changing technologies, markets and user behaviour, and the growing importance of digital identities.’” Id. at 3. The new concepts introduced in the revised OECD Guidelines include “[n]ational privacy strategies,” describing how “a multifaceted national strategy co-ordinated at the highest levels of government” is required for “the strategic importance of privacy today,” “[p]rivacy management programmes,” which “serve as the core operational mechanism through which organisations implement privacy protection,” and “[d]ata security breach notification,” a new provision that “covers both notice to an authority and notice to an individual affected by a security breach affecting personal data.” Id. at 4.
76. Gellman, supra note 18, at 1. But see Cate, supra note 67, at 341 (arguing that the FIPPs integration into U.S. and European law has caused the FIPPs to be “reduced to narrow, legalistic principles”).
commonalities existing among them: (1) a delineation of scope; (2) procedural principles; and (3) substantive principles. The delineation of scope determines when fair information practices should apply, typically triggered by the information being collected or used.77 The procedural principles “address how
personal information is collected and used by governing the methods by which data collectors and data providers interact,” and “ensure that [individuals] have notice of, and consent to, an entity’s information practices.”78The substantive principles
“impose substantive limitations on the collection and use of personal information, regardless of consumer consent, by requiring that only certain information be collected and that such information only be used in certain ways.”79Overall, when
many speak of “the FIPPs,” the principles they typically have in mind are the eight principles articulated in the OECD guidelines.
With the advent of the Internet, the tremendous increase in the collection and use of consumer data, and the increasing ubiquity of devices capable of collecting and storing more data, regulators have recently focused on developing ways in which the FIPPs can meet the data privacy challenges posed by modern technologies. Unlike other international regulations, no omnibus U.S. law regulates the use or collection of personal consumer data.80 Federal statutes in the United States have
been enacted that regulate data privacy and security practices for only a small subset of industry sectors and for particular
77. Most FIPPs-centric frameworks and regulations provide a subjective scope, recommending that the FIPPs apply only when the information is “sensitive” or “personally identifiable.” See infra Parts II.B.1–C.1. However, this is not always the case. See Paul M. Schwartz & Daniel J. Solove,
Reconciling Personal Information in the United States and European Union,
102 CALIF. L. REV. 877, 888–89 (2014) (explaining different U.S. approaches to determining personally indefinable information, including the “specific-types” approach).
78. FED. TRADECOMM’N, PRIVACYONLINE: A REPORT TOCONGRESS48–49 n.28 (1998).
79. Id.
80. Mary J. Culnan & Robert J. Bies, Consumer Privacy: Balancing
Economic and Justice Considerations, 59 J. SOCIALISSUES323, 332 (2003) (“Currently the U.S. government has adopted a reactive approach to addressing consumer privacy. For example, Congress typically . . . focuses on developing a narrowly-targeted (sectoral in contrast to omnibus) solution.”).
types of data.81To some, such a regulatory scheme has resulted
in “uneven protection for personal information and unequal treatment, even for similarly situated industry players.”82
Recognizing the need for modernized and universal information privacy and security practices, federal policymakers have started crafting updated privacy best practices that are based largely on the FIPPs and which reflect current commercial norms.83 These recent frameworks attempt to balance the
FIPPs with more flexible practices for companies. Many policymakers herald these frameworks as effective in providing consumer privacy best practices in our data-dependent society, and have advocated for legislation that would require companies to implement these baseline practices.84
Two recent frameworks offer a foundation on which to examine how cloud robotics may be affected by current calls for consumer privacy protection: the White House’s Consumer Privacy Bill of Rights in its report, Consumer Data Privacy in a
Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Economy, and the FTC’s
Privacy Framework in its report, Protecting Consumer Privacy
in an Era of Rapid Change: Recommendations for Businesses and Policymakers (“FTC Report”).85 These frameworks do not
establish new FIPPs, but instead attempt to embody the 81. See Kenneth A. Bamberger & Deirdre K. Mulligan, Privacy on the
Books and on the Ground, 63 STAN. L. REV. 247, 255–56 (2011). The FTC, as well, has become more aggressive in utilizing its enforcement authority under Section 5 of the Federal Trade Commission Act to regulate companies who have engaged in unfair or deceptive data privacy and security practices. See,
e.g., Decision and Order, Facebook, Inc., F.T.C. No. 092 3184 (Aug. 10, 2012), available at http://www.ftc.gov/sites/default/files/documents/cases/2012/08 /120810facebookdo.pdf (alleging unfair and deceptive privacy practices concerning Facebook’s 2009 change to its privacy controls). See generally Daniel J. Solove & Woodrow Hartzog, The FTC and the New Common Law of
Privacy, 114 COLUM. L. REV. 583 (2014).
82. Bamberger & Mulligan, supra note 81, at 257. 83. See 2012 FTC PRIVACYREPORT, supra note 17, at i–ii.
84. See id. at 12–14 (“[T]he commission calls on Congress to consider enacting baseline privacy legislation that is technologically neutral and sufficiently flexible . . . .”); see also WHITEHOUSEPRIVACYREPORT, supra note 16, at 1–3 (“The Administration will encourage stakeholders to implement the Consumer Privacy Bill of Rights through codes of conduct and will work with Congress to enact these rights through legislation.”).
85. WHITEHOUSEPRIVACY REPORT, supra note 16; 2012 FTC PRIVACY
original concepts, like the OECD guidelines, “with some updates and changes in emphasis.”86 For instance, as this
Article demonstrates, these frameworks have adopted practices that focus on the “context of the transaction”87 or the
“sensitivity” of the data88 as methods for providing more
flexible practices for companies to determine what data can be collected, how it can be used, and how long it can be retained.
Because it is unlikely that cloud-enabled domestic robots will be subject to today’s industry-specific privacy regulations,89
privacy advocates and policymakers will likely look to the practices articulated in these frameworks to determine the adequacy of cloud robotics companies’ data practices. Thus, examining the Consumer Privacy Bill of Rights and the FTC Framework can assist in articulating challenges and developing discussion.
B. THECONSUMERPRIVACYBILL OFRIGHTS
In February 2012, the White House observed that, despite the fact that the current consumer data privacy framework was strong, it “lack[ed] two elements: a clear statement of basic privacy principles that apply to the commercial world, and a sustained commitment of all stakeholders to address consumer data privacy issues as they arise from advances in technologies and business models.”90 It is within this context that the
Obama Administration issued its report establishing a new privacy framework, the Consumer Privacy Bill of Rights. The report describes the Consumer Privacy Bill of Rights as “a blueprint for privacy in the information age” that “give[s] consumers clear guidance on what they should expect from
86. 2012 FTC PRIVACYREPORT, supra note 17, at 23. 87. See infra Part II.B.4.
88. See infra Parts II.B.1–C.1.
89. Cloud-enabled robots may, however, enter into commercial industry sectors that are in fact governed under specific information privacy regulations, such as the healthcare industry. See, e.g., HIPAA Privacy Rule, 45 C.F.R. pts. 160, 164 (2013) (governing the collection, use, and dissemination of “protected health information” by covered health entities). For the purposes of this Article, we assume that cloud-enabled domestic robots, and the companies that produce and maintain them, operate outside of these sector-specific regulations.
those who handle their personal information, and set[s] expectations for companies that use personal data.”91
As the Administration explains, “[t]he Consumer Privacy Bill of Rights applies comprehensive, globally recognized Fair Information Practice Principles . . . to the interactive and highly interconnected environment in which we live and work today.”92 The Administration acknowledges that “[t]he
Consumer Privacy Bill of Rights applies FIPPs to an environment in which processing of data about individuals is far more decentralized and pervasive than it was when FIPPs were initially developed.”93 To “carr[y] FIPPs forward,” the
Consumer Privacy Bill of Rights “affirms a set of consumer rights that inform consumers of what they should expect of companies that handle personal data,” while at the same time “recogniz[ing] that consumers have certain responsibilities to protect their privacy as they engage in an increasingly networked society.”94 The Consumer Privacy Bill of Rights
consists of seven principles: individual control, transparency, respect for context, security, access and accuracy, focused collection, and accountability.95 When applicable, the baseline
principle is outlined, followed by supplemental information detailing the principle.
1. Scope
“The Consumer Privacy Bill of Rights applies to commercial uses of personal data. This term refers to any data, including aggregations of data, which is linkable to a specific individual. Personal data may include data that is linked to a specific computer or other device.”96 The Administration
elaborates that “[t]his definition provides the flexibility that is necessary to capture the many kinds of data about consumers that commercial entities collect, use, and disclose.”97
91. Id. (introductory statement of President Barack Obama). 92. Id. at 1.
93. Id. at 9. 94. Id. 95. Id. at 10.
96. Id. (“For example, an identifier on a smartphone or family computer that is used to build a usage profile is personal data.”).
2. Individual Control
Consumers have a right to exercise control over what personal data companies collect from them and how they use it.98
This principle contains two “dimensions,” one placing obligations on companies and another defining the responsibilities of consumers.99 The first dimension of the
principle says, “at the time of collection, companies should present choices about data sharing, collection, use, and disclosure that are appropriate for the scale, scope, and sensitivity of personal data in question.”100 Consumer-facing
companies “should give [consumers] appropriate choices about what personal data the company collects, irrespective of whether the company uses the data itself or discloses it to third parties.”101Further, the Administration “encourages
consumer-facing companies to act as stewards of personal data that they and their business partners collect from consumers,” and believes that they “should seek ways to recognize consumer choices through mechanisms that are simple, persistent, and scalable from the consumer’s perspective.”102
In addition, the individual control principle has a second dimension regarding consumer responsibility.103 In cases such
as online social networks, where “the use of personal data begins with individuals’ decisions to choose privacy settings and to share personal data with others . . . consumers should evaluate their choices and take responsibility for the ones that they make.”104
98. Id. at 47. 99. Id. at 11.
100. Id. For example, in cases where a company has access to Internet usage histories capable of building profiles that may contain sensitive health or financial data, “choice mechanisms that are simple and prominent and offer fine-grained control of personal data use and disclosure may be appropriate.”
Id. On the other hand, “services that do not collect information that is
reasonably linkable to individuals may offer accordingly limited choices.” Id. 101. Id.
102. Id. 103. Id. at 13. 104. Id.
Finally, individual control contains a “right to withdraw consent to use personal data that the company controls.”105
According to the Administration, “[c]ompanies should provide means of withdrawing consent that are on equal footing with ways they obtain consent.”106 For this right to apply, the
consumer must have an ongoing relationship with the company because “the company must have a way to effect a withdrawal of consent to the extent the company has associated and retained data with an individual,” and therefore, “data that a company cannot reasonably associate with an individual is not subject to the right to withdraw consent.”107 Further, “the
obligation to respect a consumer’s withdrawal of consent only extends to data that the company has under its control.”108
3. Transparency
Consumers have a right to easily understandable and accessible information about privacy and security practices.109
Under the transparency principle, “companies should provide clear descriptions of what personal data they collect, why they need the data, how they will use it, when they will delete the data or de-identify it from consumers, and whether and for what purposes they may share personal data with third parties.”110These statements should be made “[a]t times and in
places that are most useful to enabling consumers to gain a meaningful understanding of privacy risks and the ability to exercise Individual Control.”111This means that the statements
should be made “visible to consumers when they are most relevant to understanding privacy risks and easily accessible when called for.”112The form of these notices should be “easy to
105. Id.
106. Id. at 13–14 (“For example, if consumers grant consent through a single action on their computers, they should be able to withdraw consent in a similar fashion.”). 107. Id. at 14. 108. Id. 109. Id. 110. Id. 111. Id. 112. Id.
read on the devices that consumers actually use to access their services.”113 According to the Administration, “[p]ersonal data
uses that are not consistent with the context of a company-to-consumer transaction or relationship deserve more prominent disclosure than uses that are integral to or commonly accepted in that context.”114
4. Respect for Context
Consumers have a right to expect that companies will collect, use, and disclose personal data in ways that are consistent with the context in which consumers provide the data.115
A cornerstone of the Consumer Privacy Bill of Rights, the respect for context principle holds that “[c]ompanies should limit their use and disclosure of personal data to those purposes that are consistent with both the relationship that they have with consumers and the context in which consumers originally disclosed the data, unless required by law to do otherwise.”116 This means that “[i]f companies will use or
disclose personal data for other purposes,” or “[i]f, subsequent to collection, companies decide to use or disclose personal data for purposes that are inconsistent with the context in which the data was disclosed,” then companies should provide heightened measures of transparency and individual choice.117
The Administration explains that the respect for context principle “emphasizes the importance of the relationship between a consumer and a company at the time consumers 113. Id. at 15. In the case of mobile devices, for instance, companies should “strive to present mobile consumers with the most relevant information in a manner that takes into account mobile device characteristics, such as small display sizes and privacy risks that are specific to mobile devices.” Id.
114. Id. at 14 (finding that distinguishing privacy notices along these lines “will better inform consumers of personal data uses that they have not anticipated,” “will give privacy-conscious consumers easy access to information that is relevant to them,” and “may also promote greater consistency in disclosures by companies in a given market and attract the attention of consumers who ordinarily would ignore privacy notices”).
115. Id. at 15. Respect for context, in part, derives from the OECD Framework’s purpose specification and use limitation principles. Id. at 16; ORG.FORECON. CO-OPERATION& DEV., supra note 72, at 14–15.
116. WHITEHOUSEPRIVACYREPORT, supra note 16, at 15. 117. Id.
disclose data, [but] also recognizes that this relationship may change over time in ways not foreseeable at the time of collection.”118 In such cases, “companies must provide
appropriate levels of transparency and individual choice— which may be more stringent than was necessary at the time of collection—before reusing personal data.”119 While such
context-specific application provides flexibility for companies, it requires them to consider what consumers are likely to understand about the companies’ practices, how the companies explain the roles of personal data in delivering their products and services, and the consumers’ attitudes, understanding, and level of sophistication.120 According to the Administration,
“[c]ontext should help to determine which personal data uses are likely to raise the greatest consumer privacy concerns” and “[t]he company-to-consumer relationship should guide companies’ decisions about which uses of personal data they will make most prominent in privacy notices.”121
5. Security
Consumers have a right to secure and responsible handling of personal data.122
Under the security principle, “[c]ompanies should assess the privacy and security risks associated with their personal data practices and maintain reasonable safeguards to control risks such as loss; unauthorized access, use, destruction, or modification; and improper disclosure.”123 The Administration
elaborates that “[t]he security precautions that are appropriate for a given company will depend on its lines of business, the
118. Id. at 16. 119. Id.
120. Id. at 16–17. For example, if a mobile game application collects the device’s unique identifier for the purposes of executing the game’s “save” function, such a collection is consistent with the consumer’s decision to use the application. If the company provides the unique identifier to third parties for online behavioral advertising, then the respect for context principle calls for the company to notify consumers and allow them to prevent the disclosure of personal data. Id. at 17.
121. Id. at 16. 122. Id. at 19. 123. Id.
kinds of personal data it collects, the likelihood of harm to consumers, and many other factors.”124
6. Access and Accuracy
Consumers have a right to access and correct personal data in usable formats, in a manner that is appropriate to the sensitivity of the data and the risk of adverse consequences to consumers if the data is inaccurate.125
According to the access and accuracy principle, companies “should use reasonable measures to ensure they maintain accurate personal data” and “provide consumers with reasonable access to personal data that they collect or maintain about them, as well as the appropriate means and opportunity to correct inaccurate data or request its deletion or use limitation.”126Further, in selecting the appropriate methods “to
maintain [data] accuracy and to provide access, correction, deletion, or suppression capabilities to consumers, companies may also consider the scale, scope, and sensitivity of the personal data that they collect or maintain and the likelihood that its use may expose consumers to financial, physical, or other material harm.”127These factors “help to determine what
kinds of access and correction facilities may be reasonable in a given context.”128
7. Focused Collection
Consumers have a right to reasonable limits on the personal data that companies collect and retain.129
The focused collection principle further states, “[c]ompanies should collect only as much personal data as they need to accomplish purposes specified under the Respect for Context principle,” and that they “should securely dispose of or
124. Id. 125. Id. 126. Id. 127. Id. 128. Id. at 20. 129. Id. at 21.
de-identify personal data once they no longer need it, unless they are under a legal obligation to do otherwise.”130 This
requires companies to “engage in considered decisions about the kinds of data they need to collect to accomplish specific purposes.”131
8. Accountability
Consumers have a right to have personal data handled by companies with appropriate measures in place to assure they adhere to the Consumer Privacy Bill of Rights.132
Within the report, the accountability principle lays out the ways in which “[c]ompanies should be accountable to enforcement authorities and consumers.”133 The accountability
principle “goes beyond external accountability to encompass practices through which companies prevent lapses in their privacy commitments or detect and remedy any lapses that may occur.”134Among other things, this means that companies
“should hold employees responsible for adhering to these principles” and should appropriately train them “to handle personal data consistently with these principles and regularly evaluate their performance in this regard.”135The appropriate
evaluation technique could be a full audit, conducted by the company or by an independent third party, or a more limited self-assessment, depending on the “size, complexity, and nature of a company’s business, as well as the sensitivity of the data involved.”136
130. Id.
131. Id. However, “as discussed under the Respect for Context principle, companies may find new uses for personal data after they collect it, provided they take appropriate measures of transparency and individual choice.” Id.
132. Id.
133. Id. at 21–22. 134. Id. at 22. 135. Id. at 21. 136. Id. at 22.
C. THE2012 FEDERALTRADECOMMISSIONPRIVACY FRAMEWORK
Over the past two decades, the FTC has been actively engaged in overseeing information privacy and security practices within the online consumer marketplace.137 In late
2009, former FTC Chairman Jon Leibowitz declared that the country was at a “watershed movement in privacy,” and that the time was ripe for the FTC to “take a broader look at privacy writ large.”138 Recognizing the “increase[ed] advances in
technology” that allowed for “rapid data collection and sharing that is often invisible to consumers,” the FTC sought to develop a framework that businesses could utilize to reduce the burden on consumers who want to protect their own privacy.139 In
2012, following a series of roundtable discussions and a period of public comment after the release of a preliminary report, the FTC issued Protecting Consumer Privacy in an Era of Rapid
Change: Recommendations for Businesses and Policymakers
(“FTC Report”).140The FTC Report was “intended to articulate
best practices for companies that collect and use consumer data,”141 and to assist companies in developing and
maintaining “processes and systems to operationalize privacy and data security practices within their business.”142
Central to the FTC Report is the FTC Framework, consisting of principles for companies to implement in order to 137. See FED. TRADE COMM’N, PRIVACY ONLINE: FAIR INFORMATION
PRACTICES IN THEELECTRONICMARKETPLACE: A REPORT TOCONGRESS i–iv (2000) (summarizing the FTC’s investigation of online privacy issues dating back to 1995).
138. Jon Leibowitz, Former Chairman, Fed. Trade Comm’n, Introductory Remarks at the FTC Privacy Roundtable (Dec. 7, 2009), available at http://www.ftc.gov/sites/default/files/documents/public_statements/introductor y-remarks-ftc-privacy-roundtable/091207privacyremarks.pdf (citing to Samuel D. Warren and Louis D. Brandeis’ publication, The Right to Privacy, in the Harvard Law Review, 4 HARV. L. REV. 193 (1890), and the surveillance abuses of the Nixon Administration as previous watershed moments in privacy).
139. Press Release, Fed. Trade Comm’n, FTC Staff Issues Privacy Report, Offers Framework for Consumers, Businesses, and Policymakers (Dec. 1, 2010) (on file with the FTC press release archive), available at http://www.ftc.gov/news-events/press-releases/2010/12/ftc-staff-issues-privacy -report-offers-framework-consumers.
140. 2012 FTC PRIVACYREPORT, supra note 17. 141. Id. at vii.
achieve best consumer privacy practices.143 The FTC Report
supplements the FTC Framework by providing in-depth commentary on the FTC Framework’s final and baseline principles and suggesting practical mechanisms to implement the FTC Framework.144 The FTC Framework’s best practices
are outlined in three areas—privacy by design, simplified consumer choice, and transparency—each of which delineates a “baseline principle,” followed by a set of “final principles” that guide companies on protecting consumer privacy.145
1. Scope
According to the FTC Report, “[t]he framework applies to all commercial entities that collect or use consumer data that can be reasonably linked to a specific consumer, computer, or other device, unless the entity collects only non-sensitive data from fewer than 5,000 consumers per year and does not share the data with third parties.”146 The scope in which the FTC
Framework applies is intentionally broad and intends to cover all entities collecting consumer data that can be reasonably linked to a specific consumer’s computer or device, whether the information is online or offline.147 Critical to the FTC
Framework’s scope is the requirement that consumer data be “reasonably linked to a specific consumer, computer, or other device.”148 The FTC Framework articulates that information
will not be considered “reasonably linked” if three criteria are met: “[f]irst, the company must take reasonable measures to ensure that the data is de-identified”; “[s]econd, a company must publicly commit to maintain and use the data in a de-identified fashion, and not to attempt to re-identify the data”; and “[t]hird, if a company makes such de-identified data available to other companies—whether service providers or
143. Id. at vii–ix.
144. See id. at iii–vi (outlining the FTC’s final report). 145. Id. at vii–viii.
146. Id. at 22.
147. See id. at 17–18. The FTC Privacy Report does note that some commercial sectors have statutory obligations already imposed upon them concerning proper data practices and that “the framework is meant to encourage best practices and is not intended to conflict with requirements of existing laws and regulations.” Id. at 16.
other third parties—it should contractually prohibit such entities from attempting to re-identify the data.”149
Additionally, the FTC Framework provides an exception for companies that collect non-sensitive data, for less than 5,000 consumers per year, and do not share that data with a third party.150 The FTC Framework refrains from providing a
set definition of what constitutes “sensitive” data, stating “whether a particular piece of data is sensitive may lie in the ‘eye of the beholder’ and may depend upon a number of subjective considerations.”151 However, the FTC Report does
find that at a minimum, sensitive data includes “data about children, financial and health information, Social Security numbers, and certain geolocation data.”152
2. Privacy by Design
Companies should promote consumer privacy throughout their organizations and at every stage of the development of their products and services.153
The first major baseline principle under the FTC Framework is “Privacy by Design.”154The concept of privacy by
design calls on companies to “build in” substantive privacy principles and procedural protections into everyday business operations.155 The privacy by design procedural principle
states, “[c]ompanies should maintain comprehensive data management procedures throughout the life cycle of their products and services.”156 The FTC Report suggests that this
principle can be achieved by implementing practices such as
149. Id. at 19–21. The FTC further specifies the first criterion, stating that it requires a company to “achieve a reasonable level of justified confidence that the data cannot reasonably be used to infer information about, or otherwise be linked to, a particular consumer, computer, or other device.” Id. (citations omitted). 150. Id. at 22. 151. Id. at 60. 152. Id. at 47 n.214. 153. Id. at 22. 154. Id. 155. Id. 156. Id. at 32.
accountability mechanisms to ensure that privacy issues are addressed throughout an organization and its products.157
These mechanisms are intended to ensure the proper implementation of the privacy by design substantive principles specifically, and the FTC Framework generally.158The privacy
by design procedural principle, thus, accompanies a substantive principle that articulates what data management procedures should be implemented. The privacy by design substantive principle states, “[c]ompanies should incorporate substantive privacy protections into their practices, such as data security, reasonable collection limits, sound retention practices, and data accuracy.”159
As the FTC Report notes, “[i]t is well settled that companies must provide reasonable security for consumer data.”160 While no specific security practices are detailed, the
FTC Report “calls on industry to develop and implement best data security practices for additional industry sectors and other types of consumer data.”161
In calling for “reasonable” collection limits, the FTC Report clarifies that “[c]ompanies should limit data collection to that which is consistent with the context of a particular transaction or the consumer’s relationship with the business, or as required or specifically authorized by law.”162 Data collection that is
inconsistent with the context of a particular transaction should be appropriately disclosed to consumers “at a relevant time and in a prominent manner—outside of a privacy policy or other legal document.”163 Similar to the White House Consumer
Privacy Bill of Rights Framework discussed above,164 limiting
data collection to the context of the transaction “is intended to help companies assess whether their data collection is consistent with what a consumer might expect.”165
157. Id. at 30–32. 158. Id. 159. Id. at 23. 160. Id. at 24. 161. Id. at 25. 162. Id. at 27.
163. Id. For a more in-depth discussion on consumer choice, see infra Part II.C.3.
164. See supra Part II.B.7.
